SETTLEMENT AGREEMENT AND MUTUAL RELEASE - SECURITY 


This Settlement Agreement And Mutual Release (together with any exhibits hereto, the 
“Agreement”) is effective as of this ^^ day of October 2014 (the “Effective Date”), by and 
between Vix Technology (USA) Inc. (“Vix”), on the one hand, and, on the other hand, 
Snohomish County Public Transportation Benefit Area, Kitsap County Public Transportation 
Benefit Area, Central Puget Sound Regional Transit Authority, Washington State Department of 
Transportation, Ferries Division, Pierce County Public Transportation Benefit Area Corporation, 
City of Everett, and King County (collectively, the “Agencies”). Vix, each of the Agencies, and 
the Agencies together are referred to herein individually as a “Party,” and Vix and the Agencies 
are referred to herein collectively as the “Parties.” 

I. RECITALS 

1. The Parties have a binding contract between them for the design, building, 
maintenance, and operation of a regional fare card system (“RFC System”) to facilitate payment 
for transit services on the public transportation services operated by each of the Agencies (the 
“ORCA Contract” or “Contract”). 

2. Unless specifically defined herein, all capitalized terms have the same meaning as 
in the ORCA Contract. 

3. In January 2014, the Parties signed an agreement (the “Tech Agreement”) 
confirming that the Parties had established a Technical Leadership Committee (“Tech Team”) to 
address current and emerging technical issues in the RFC System. The Tech Agreement is 
attached as Exhibit 1 to this Agreement. 

4. The Tech Agreement further confirmed that the Tech Team had developed the 
ORCA Priority 1 Remediation Plan (“P-1”) to address urgent technical issues. The current P-1 
plan is attached as Exhibit 2 to this Agreement. 

5. The Tech Agreement indicated that the Parties disagreed about cost allocations 
for the technical work and desired to resolve their differences through mediation. 

6. Through the Tech Agreement, the Parties agreed to payment provisions for the 
P-1 work while the mediation is pending. 

7. Vix contends that it delivered the RFC System to the Agencies at the time of Full 
System Acceptance and is now in an operating and maintenance phase. Vix contends that any 
change that moves the RFC System beyond the state it was in at Full System Acceptance is new 
work for which it must receive additional payment. 

8. Vix further contends that “Update” is defined narrowly by the Contract and that 
the work at issue in this mediation is comprised of “Upgrades” that are changes to the system 
constituting new work. Vix therefore seeks additional payment for this work. 

9. The Agencies contend that the ORCA Contract obligates Vix both to maintain the 
RFC System under a high standard and to provide evolving security measures that account for 
technological changes. 

10. The Agencies further contend that an “Update” is broadly defined to encompass 
any work required to fully maintain system functionality, replace outmoded technology, and 
meet evolving security needs. Accordingly, the Agencies contend that Vix must perform the 
work at issue in this mediation for no additional fees. 

11. In the interests of preserving the contractual and business relationship between the 
Parties, providing best service to the public, and resolving the Parties’ dispute regarding work to 
ensure the security of the RFC System, the Parties have sought resolution of various issues 
through mediation and agree to settle their differences as set forth herein. 

NOW, THEREFORE, in consideration of the mutual promises, obligations, and 
covenants set forth in this Agreement, the Parties agree as follows: 

II. TERMS AND CONDITIONS OF SETTLEMENT 

1. P-1 and P-2(a) Work 

The “Interim Agreement,” attached hereto as Exhibit 3, is incorporated into this 
Agreement and will be subject to the mutual release provisions of this Agreement 
notwithstanding language to the contrary in the Interim Agreement. 

2. Security Work 

a. Security Obligation 

Nothing in this Agreement alters Vix’s obligations under the Contract regarding 
system security or any other issue, unless expressly stated otherwise. Vix is 
responsible for the security of all aspects of the RFC System except portions of 
the RFC System or the System’s operation under the Agencies’ sole control. The 
parties agree that the following is a non-exclusive list of aspects of the RFC 
System over which the Agencies have sole control: 

• Security scanning of devices hosted on Agency controlled networks; 

• Network segmentation of devices hosted on Agency controlled networks; 
and 

• Physical security of any device not on Vix or Vix’s hosted back office 
premises. 

The terms of this Agreement, together with the Contract, are intended to place on 
Vix as broad an obligation as possible to ensure the security of the RFC System. 


In particular, Vix agrees that it has responsibility for general security defined in 
Sections 3.1-11 and 6.III-1.3 and CDRL 31 of the Contract and the security 
standards described in section (b) below, as such standards may be updated. Vix 
will provide, at the start of each calendar quarter, External and Internal PCI Scan 
results to the Security Review Board, pursuant to the ORCA Contract. Vix will 
comply with the provisions of Sections 3.1-11 and 6.III-1.3 and be responsible for 
all ongoing security costs associated with ensuring general security defined in 
Sections 3.1-11 and 6.III-1.3 and CDRL 31 of the Contract and in complying with 
the security standards described in section (b) below. This paragraph is not 
intended to impose responsibility on Vix in the event the Agencies fail to follow 
Vix’s advice regarding security for elements of the RFC System under the 
Agencies’ sole control. 

b. Security Standards 

At all times, Vix shall comply with all applicable security standards as such 
standards currently exist and as they might appear or evolve in the future, 
including, but not limited to, VISA and MasterCard’s Data Security requirements 
as embodied in VISA’S Cardholder Information Security Program (CISP) and 
MasterCard’s Site Data Protection Program (SDP), the latest version of the 
Payment Card Industry Data Security Standards (PCI-DSS) (currently version 
3.0), and any and all applicable federal, state, and local laws and regulatory 
standards and requirements. This is complementary to Vix’s duty under Sections 
3.1-11 and 6.III-1.3 and CDRL 31 of the Contract to provide all of its Work in 
accordance with the professional standards of persons and firms with specialized 
knowledge, expertise and experience who are leading designers and providers of 
systems, software and hardware used in the automated smart card fare payment 
industry. The separate question of who bears the cost of security work, and 
whether portions of that work is New Work, is addressed in subsection (f) below. 

Vix will provide reasonable coordination and support related to implementation of 
improvements and audits of the Agencies’ security responsibilities. 

c. Audit Compliance 

As part of its compliance with the security standards listed above in sections (a) 
and (b), Vix will make any changes to the RFC System required to obtain a clean 
annual Security Audit, as required by the Contract. To fulfill its security audit 
obligations under the ORCA Contract, Vix will arrange for a system wide audit in 
accordance with the time frame set forth in the Contract: (i) a General Security 
Audit in compliance with the provisions of Sections 3.1-11 and 6.III-1.3 and 
CDRL 31 of the Contract and (ii) an audit of the security of the cardholder data 
environment and compliance with PCI-DSS and other applicable cardholder data 
environment security standards. The audit will cover both General Security and 
PCI-DSS issues. Any items found noncompliant during these audits will be 
remediated by the Party having control of that portion of the RFC System before 
the date of the next annual audit or within the specific time frame required by the 
security standard, whichever date is earlier. 

d. Security Officer 

On or before December 31, 2014, Vix will hire a qualified security officer solely 
for the purpose of supporting Vix’s performance of the ORCA Contract and who 
will be responsible for Vix’s coordination of (i) monitoring and analyzing the 
RFC System on an ongoing basis to detect any possible security flaws or 
vulnerabilities in addition to investigations performed during any audit, (ii) 
managing and executing work needed to comply with the security standards listed 
above in section (a) and (b) and the findings of any security audit, and (iii) 
preparing and delivering monthly written reports to the Agencies explaining Vix’s 
work and progress to comply with applicable security standards, known risks, and 
mitigation measures. 

e. Future Security Work 

Vix will take a proactive approach to maintaining the security of the RFC System. 
The administration and communications regarding security work will be through 
the Security Review Board. Specifically, by December 31 of the first year of this 
agreement and by October 31 of each year of this agreement thereafter, Vix will 
do the following: 

i. Vix will provide the Agencies with a written report of any known 
new hardware and/or new versions of an operating system or 
software application that will be required to be implemented in the 
coming two calendar year time frame in order for all elements of 
the RFC System to be compliant with all applicable security 
standards listed in section (a) and (b) above. By December 31 of 
the first year of this agreement and by October 31 of each year of 
this agreement thereafter, the Parties shall agree through the Tech 
Team on the scope and costs of an annual work plan (“Annual 
Work Plan”) to comply with required security standards listed in 
section (a) and (b) above, to be approved by the Security Review 
Board. As part of the Annual Work Plan, Vix will provide a 
summary and detailed description of daily, weekly, and monthly 
administrative functions to be undertaken to maintain system 
security; Vix will provide a summary of all planned tests (e.g., 
internal and external scans, penetration tests) and audits for the 
upcoming year; Vix will provide a schedule for all known 
hardware updates and will timely notify the Agencies of such 
updates that are not included in this annual report; and Vix will 
provide a schedule and explanation of priorities for all planned 
work activity for the coming calendar year. 

ii. Vix will provide a threat and risk assessment identifying known 
and emerging security threats, along with any changes in the 
security standards listed above in sections (a) and (b). 

iii. Vix will provide an analysis of known or expected changes that 
could impact the security of the RFC System and the work, 
hardware, and software needed to maintain the security of the RFC 
System (e.g., upgrading from Windows Server 2003), along with 
preliminary plans to address and respond to such changes. 

iv. Vix will provide a description of and time frame for deploying all 
planned software and patch release programs and will timely notify 
the Agencies of such programs that are not included in this annual 
report. 

v. Vix will provide a report, as consistent with Sections 3.1-11 and 
6.III-1.3 and CDRL 31 of the Contract, explaining current 
applicable security standards and threats and its plan of response in 
the event of a security breach. 

On a monthly basis, Vix will provide written reports to the Agencies on its work 
and progress to comply with applicable security standards, known risks, and 
mitigation measures. 

f. Compensation 

On an annual basis, the Agencies will pay Vix 50 percent of the price to meet the 
security requirements described above in sections II(2)(a)-(e), as determined in 
the Annual Work Plan. For any new work to meet security requirements in 
addition to work required by Sections 3.1-11 and 6.III-1.3 and CDRL 31 of the 
Contract or the latest version of PCI-DSS, the Agencies will bear the entire cost. 
On a quarterly basis, Vix will provide to the Agencies written reports and invoices 
documenting the work completed to meet these new security requirements and the 
costs incurred for doing so, which invoices shall be paid within 30 days unless 
otherwise contested. These invoices and reports will include complete and 
detailed descriptions of such work and related costs. Any disputes over such 
reports or invoices will be referred to mediation before Stewart Cogan or, if Mr. 
Cogan is not available, to a mutually agreed upon mediator, whom the Parties 
agree to select through good faith negotiations. 

Vix will cover the costs of the annual third-party Security Audit of the entire RFC 
System required by the ORCA Contract up to $30,000, and the Agencies will pay 
all other costs associated with the annual third-party Security Audit. 

The Agencies also will pay Vix $15,000 per month to account for the new 
Security Officer Vix will hire pursuant to Section 2(d). 

The Agencies also will pay Vix $30,000 for the development and approval of the 
Annual Work Plan, $7,500 per quarter if Vix passes scheduled quarterly scans, 
$50,000 as an incentive for timely completion and delivery of the third-party 
Security Audit, and $5,000 per month if Vix timely delivers monthly security 
reports as described above. 

3. Mutual Release. 

With respect to the issues addressed in the Interim Agreement and the security 
issues addressed in this Agreement, and only with respect to these issues, Vix, on 
the one hand, and the Agencies, on the other hand, forever release and discharge 
each other and its or their respective subsidiaries, parents, divisions, affiliates, 
officers, directors, owners, shareholders, members, managers, associates, 
predecessors, successors, assigns, agents, partners, employees, insurers, 
representatives, attorneys, and any and all persons acting by, through, under or in 
concert with them, of and from any and all manner of action(s), cause(s) of action 
in law or in equity, and any suits, debts, liens, claims, demands, damages, rights, 
losses, costs, and/or expenses, of any nature whatsoever, now known. 

4. Public Document. 

This Agreement, including, but not limited to, the attached Exhibits, is a public 
document. 

5. Representations and Warranties. 

a. Organization, Authorization 

Vix, on the one hand, and the Agencies on the other hand, represent and warrant 
to each other that (i) each Party has full and complete power, capacity, and 
authority to enter into this Agreement and to consummate all transactions and 
perform all obligations contemplated by this Agreement, (ii) the execution of this 
Agreement has been duly authorized by all necessary corporate or official action, 
if any, on the part of each Party, and (iii) this Agreement constitutes a legal, valid, 
and binding obligation, enforceable in accordance with its terms. 

b. Company Consent and Approval 

Vix and the Agencies represent and warrant that (i) all necessary third-parties 
have consented to and approved this agreement, or (ii) such consent and approval 
are not required for the execution of this Agreement or the performance by Vix 
and/or the Agencies of their obligations herein and therein. 

6. Counterparts. 

This Agreement may be executed in any number of counterparts, and each 
executed counterpart shall have the same force and effect as the original 
instrument and as if all the Parties to the counterparts had signed the same 
instrument. The Parties also agree that facsimile, portable document format 
(“PDF”), scanned, and/or electronic signatures shall have the same effect as 
manually signed originals and shall be effective upon transmission. 

7. Construction. 

This Agreement was negotiated and prepared by the Parties and their respective 
attorneys. The Parties acknowledge and agree that the rule of construction that an 
ambiguous contract should be construed against the drafter shall not be applied in 
any construction or interpretation of this Agreement. The singular form of a word 
shall also mean and include to the plural (and vice versa), and the masculine 
gender shall also mean and include the feminine and gender neutral (and vice 
versa). This Agreement is not intended to alter existing contractual obligations, 
except where expressly agreed. 

8. No Third-Party Beneficiaries. 

This Agreement is for the benefit of each Party individually and the Parties 
collectively. There are no intended third-party beneficiaries, and the Parties 
expressly disclaim any unintended third-party beneficiaries to this Agreement or 
any part of this Agreement. 

9. Governing Law. 

This Agreement and any rights, remedies, and/or obligations provided for in this 
Agreement shall be governed, construed, and enforced in accordance with the 
substantive and procedural laws of the State of Washington as of the Effective 
Date. King County Superior Court will be the exclusive venue for resolving any 
dispute arising out of this Agreement. 

10. Entire Agreement. 

This Agreement, including any attached exhibits, constitutes a single, integrated, 
written contract expressing the entire understanding and agreement between the 
Parties, and the terms of the Agreement are contractual and not merely recitals. 
Other than the Contract, no other agreement, written or oral, expressed or implied, 
exists between the Parties with respect to the subject matter of this Agreement, 
and the Parties declare and represent that no promise, inducement, or other 
agreement not expressly contained in this Agreement has been made conferring 
any benefit upon them. 

11. Severability. 

The provisions of this Agreement are severable. If any portion, provision, or part 
of this Agreement is held, determined, or adjudicated to be invalid, unenforceable, 
or void for any reason whatsoever, each such portion, provision, or part shall be 
severed from the remaining portions, provisions, or parts of this Agreement and 
shall not affect the validity or enforceability of any remaining portions, 
provisions, or parts. 

12. Headings and Captions. 

The headings and captions inserted into this Agreement are for convenience of 
reference only and in no way define, limit, or otherwise describe the scope or 
intent of this Agreement, or any provision hereof, or in any way affect the 
interpretation of this Agreement. 

13. Attorney’s Fees. 

If any Party brings an action to enforce the terms hereof or declare rights 
hereunder, the prevailing party in any such action, on trial or appeal shall be 
entitled to its reasonable costs, expenses, including any consulting or expert 
expenses, and attorney’s fees to be paid by the other party. 

IN WITNESS WHEREOF, the Parties have executed this Settlement Agreement, effective as of 
the Effective Date listed above. 



By: _ 

Joint Board 

Name: _ 

Title: _ 

Date: 



Kevin Desmond, King County 
(King County Metro Transit) 


Dated: 


Emmett Heath, Snohomish County Public 
Transportation Benefit Area Corporation 
(Community Transit) 


Dated: 


Tom Hingson, City of Everett (Everett Transit) 


Dated: 


John Clauson, Kitsap County Public 
Transportation Benefit Area Authority (Kitsap 
Transit) 


Dated: 


James Walton, Pierce County Public 
Transportation Benefit Area Corporation (Pierce 
Transit) 


Dated: 


Brian McCartan, Central Puget Sound Regional 
Transit Authority (Sound Transit) 


Dated: 


Lynne Griffith, WSDOT Ferries Division 
(Washington State Ferries) 